Cisco Web Security Appliance S670 Troubleshooting Guide

Customers Using Transparent Proxy Must Actively Decrypt Traffic in Order to Distinguish Between YouTube.com and Google.com
Document ID: 118420
Contributed by Cisco TAC Engineers.
Oct 13, 2014
Contents
Problem
Environment
Symptoms
     How This Impacts the WSA
Solution
Appendix
Problem
Customers using transparent proxy must actively decrypt traffic in order to distinguish between YouTube.com and Google.com.
Environment
Transparent Proxy deployment, HTTPS Proxy enabled
Symptoms
Previously, Google used a different SSL server certificate for each of its primary domain names. If you connected to https://www.google.com and https://www.youtube.com, you would see two different server certificates, each valid for only one of those two domains.

Recently, Google switched to a single SSL server certificate for all of its web properties, signed by its own in-house CA. If you browse to the two domains listed above over SSL, you now receive the same certificate. That certificate uses the X.509 Subject Alternative Name extension ("SubjectAltName") to list a few dozen domains, many of them wildcards, as valid names for that one certificate. A full list of the Google domains that are valid for this new certificate is given in the Appendix.

This works fine for browsers: your browser knows it is trying to connect to youtube.com, it sees a certificate that is valid for youtube.com (and a few dozen other names), and it lets the connection go through without any warnings.
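The following added example (not Cisco's code, and not taken from this document) makes the point concrete. It checks a requested hostname against a certificate's SubjectAltName list using the usual browser matching rules (exact match, or a wildcard that is the entire left-most label and covers exactly one label). The SAN list is constructed to resemble a shared certificate like the one described above; it is not the real list from the Appendix. The last function shows why a proxy that sees only the server certificate learns nothing about which of the covered sites the client asked for: several different destinations are all valid for the same certificate.

```python
"""Match a requested hostname against a certificate's SubjectAltName list.

Added example, not Cisco's code. SHARED_CERT_SANS is a constructed list that
imitates a shared certificate; it is not the real Google SAN list.
"""

# Constructed SAN list (assumption: shaped like a shared multi-domain cert).
SHARED_CERT_SANS = [
    "*.google.com", "google.com",
    "*.youtube.com", "youtube.com", "youtu.be",
    "*.gmail.com", "gmail.com",
    "*.googleapis.com", "*.gstatic.com",
]


def _match_one(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN entry covers hostname.

    Rules (browser-style, after RFC 6125): case-insensitive, trailing dot
    ignored, a wildcard must be the whole left-most label, it matches exactly
    one label, and a wildcard is not accepted directly under a TLD (*.com).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "w*.example.com", "*.*.example.com" and "*.com".
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # The wildcard covers exactly one label, so label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(sans, hostname: str) -> bool:
    """True if any SubjectAltName entry is valid for hostname."""
    return any(_match_one(entry, hostname) for entry in sans)


def hosts_covered(sans, candidates):
    """Which of several candidate destinations the same certificate is valid for.

    If more than one candidate comes back, the certificate alone cannot tell
    a proxy which of those sites the client was actually connecting to.
    """
    return [h for h in candidates if hostname_matches(sans, h)]


if __name__ == "__main__":
    wanted = ["www.google.com", "www.youtube.com", "mail.google.com",
              "www.example.com", "a.b.google.com", "evil-google.com"]
    for host in wanted:
        print(f"{host:20} valid for shared cert: {hostname_matches(SHARED_CERT_SANS, host)}")
    print("ambiguous destinations:", hosts_covered(SHARED_CERT_SANS, wanted))
```

Note the two deliberate refusals: `a.b.google.com` is not covered by `*.google.com` because a wildcard spans one label only, and `evil-google.com` is not covered because matching is on whole labels, not substrings. Those are the checks a browser applies; a proxy that wants to make a per-site policy decision on a shared certificate has to know the requested hostname from somewhere other than the certificate.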
How This Impacts the WSA
For any proxy server, the first thing you need to do when you see a request from a client is determine what
web destination that client is trying to go to. For plain HTTP, it is pretty easy: look at the Host header in the